How To Install OpenVPN on CentOS 8

Windows Articles

How to get the Nextcloud desktop client on Linux?

Hello friends. We already know how to install a Nextcloud server but now the client is missing. So in this post, you...

How to Backup your call and SMS history in Android

Many times we find ourselves in the situation of having to change our phone, for different reasons, and one of the questions...

Install and configure Apache Guacamole on Debian 10

Hello, friends in this post, you will learn how to install and configure Apache Guacamole in Debian 10. It will be a...

Ubuntu 20.10 available

The new version of Ubuntu is now available, under the code name "groovy gorilla". Ubuntu 20.10 focuses on improving and refining the...

Monitoring Ubuntu 20.04 with Stacer

Normally if we use Linux on a production server, it is important to monitor it. On the other hand, in everyday use, many users...

Today we are going to learn that how to install OpenVPN on Centos 8. First of all let’s have a short introduction about it. A VPN “Virtual Private Network” is a technology that permits you to create a fully secured network over the Internet. This may lets you encrypt your internet visitors and shield your online identity. It is in general used to connect business networks securely over the Internet & allows you to attach a enterprise network from anywhere.

In simple terms, a VPN connects your Cellular, Computer, & Tablet to any other computer (server) over the Internet and lets in you to access the Internet.
It will connect you using that server’s internet and also get entry to the local community via bypassing Internet censorship remotely. VPN has many other different advantages you can google them for learning in more details.
So, today we will learn that how we can Install VPN on our CentOS 8 system to stay secure and browser different activities securely. Just follow the below steps for an easy installation.

Step 1: Update your system

As usual we do, update your system by runnig

sudo yum update && sudo yum upgrade

Step 2: Disable SELinux

After updating system don’t forget to disable SELinux before further proceeding. Open the file /etc/selinux/config & then change the following line to disable SELinux

sudo nano /etc/selinux/config
SELINUX=disabled

Then save the file & exit.

Step 3: Enable IP Forwarding

Now, enable the IP forwarding in CentOS 8. It will allows the coming packets & then forward it to the network when destination is on another network.

For enabling IP Forwarding type

sudo nano /etc/sysctl.conf

Then add the following line

net.ipv4.ip_forward = 1

After it save the file & exit.

Step 4: Installing OpenVPN Server

If you’ve already installed EPEL repository in your system, leave the first step below. If you don’t have install it by

sudo dnf install epel-release -y

After it run the command to install OpenVPN server

sudo dnf install openvpn -y

When the installation finished, switch to the /etc/openvpn directory & download the easy-rsa for Security purposes.

cd /etc/openvpn
sudo wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz

Then extract the downloaded package.

sudo tar -xvzf EasyRSA-unix-v3.0.6.tgz

And move the resulting

sudo mv EasyRSA-v3.0.6 easy-rsa

Step 5: Configuring Easy RSA

As for security reasons, we’ve to add SSL certificates. And for these purposes configure the Easy RSA on our system.

Switch to the /etc/openvpn/easy-rsa directory & create a new file

cd /etc/openvpn/easy-rsa
sudo nano vars

Then paste the below content into the file

set_var EASYRSA                 "$PWD"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "PAKISTAN"
set_var EASYRSA_REQ_PROVINCE "PUNJAB"
set_var EASYRSA_REQ_CITY "MULTAN"
set_var EASYRSA_REQ_ORG "osradar CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL "admin@osradar.com"
set_var EASYRSA_REQ_OU "osradar EASY CA"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 7500
set_var EASYRSA_CERT_EXPIRE 365
set_var EASYRSA_NS_SUPPORT "no"
set_var EASYRSA_NS_COMMENT "osradar CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf"
set_var EASYRSA_DIGEST "sha256"

Note: Replace the country, province, city & email address with yours.

Save the file & exit.

After it run the command to initiate the PKI directory.

./easyrsa init-pki

Output:

You’ll see the output like this.

how to install openvpn on centos 8

Now, build the CA certificates

sudo ./easyrsa build-ca

Output:

how to install openvpn on centos 8

Note: You’ll be given two files named as ca.key & ca.crt from the above running command. You can use them while logging in to server & clients.

Step 6: Generating Server Certificate Files

Now, run the command to generate the key-pair & certificate request.

sudo ./easyrsa gen-req osradar-server nopass

Output:

Here’s output sample

how to install openvpn on centos 8

Step 7: Sign the Server Key Using CA

Now, sign in the osradar-server key with the help of your CA certificate.

To do this just fire the command

sudo ./easyrsa sign-req server osradar-server

Output:

You will see the output like this

how to install openvpn on centos 8
openssl verify -CAfile pki/ca.crt pki/issued/osradar-server.crt 

You’ll see the similar output upon successful configuration.

pki/issued/osradar-server.crt: OK

Now, generate the Diffie-Hellman key for exchange key purposes

sudo ./easyrsa gen-dh

Output:

how to install openvpn on centos 8

As you finished all these just copy them to the /etc/openvpn/server/ directory

cp pki/ca.crt /etc/openvpn/server/
cp pki/dh.pem /etc/openvpn/server/
cp pki/private/osradar-server.key /etc/openvpn/server/
cp pki/issued/osradar-server.crt /etc/openvpn/server/

Step 8: Generating Client Certificate & Key File

Generate the client key file using

sudo ./easyrsa gen-req client nopass

Output:

how to install openvpn on centos 8

Now, sign the client key with the help of your CA certificate

sudo ./easyrsa sign-req client client

Output:

how to install openvpn on centos 8

After finishing these changes, copy them to the /etc/openvpn/client/ directory

cp pki/ca.crt /etc/openvpn/client/
cp pki/issued/client.crt /etc/openvpn/client/
cp pki/private/client.key /etc/openvpn/client/

Step 9: Configuring OpenVPN Server

Make a new config file under the /etc/openvpn/client with your favourite editor

sudo nano /etc/openvpn/server/server.conf

Then paste the below content into it.

port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/osradar-server.crt
key /etc/openvpn/server/osradar-server.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
keepalive 20 60
persist-key
persist-tun
compress lz4
daemon
user nobody
group nobody
log-append /var/log/openvpn.log
verb 3

After it save & exit the file.

Step 10: Start OpenVPN Services

Simply run the command below to start & enable the OpenVPN Services

sudo systemctl start openvpn-server@server
sudo systemctl enable openvpn-server@server

Make sure that the status is active by

systemctl status openvpn-server@server
how to install openvpn on centos 8

Upon successful setup, OpenVPN Server will create a new network interface. Check it by typing

ifconfig

Output:

how to install openvpn on centos 8

Step 11: Generating Client Configuration File

It is necessary to generate the client configuration file in order to connect to the OpenVPN server from the client system.

sudo nano /etc/openvpn/client/client.ovpn

Then paste the below data into it.

client
dev tun
proto udp
remote vpn-server-ip 1194
ca ca.crt
cert client.crt
key client.key
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
resolv-retry infinite
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3

Save & exit the file

Step 12: Configuring Routing

Allow the service through the firewalld by typing

firewall-cmd --permanent --add-service=openvpn
firewall-cmd --permanent --zone=trusted --add-service=openvpn
firewall-cmd --permanent --zone=trusted --add-interface=tun0

And then add the MASQUERADE on the default zone.

firewall-cmd --add-masquerade
firewall-cmd --permanent --add-masquerade

After it allow the coming requests from VPN to local system (VPN Network to local network)

osradar=$(ip route get 8.8.8.8 | awk 'NR==1 {print $(NF-2)}')
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o $osradar -j MASQUERADE

Reload the changes

firewall-cmd --reload

Step 13: Use OpenVPN from Clients

To use the OpenVPN from the client machine, you’ve to install the OpenVPN package with the following command

dnf install epel-release -y
dnf install openvpn -y

After it download the OpenVPN client config files from server to client system.

Run the given command on client system

scp -r root@vpn-server-ip:/etc/openvpn/client  .

As it get finished switch to the client directory and type

cd client
openvpn --config client.ovpn

When the connection becomes successful, OpenVPN will assign the IP address to your system. Type the command to verify it.

ifconfig tun0

So, this is how you can configure and install the OpenVPN server and client on CentOS 8.

More articles

1 COMMENT

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest article

How to get the Nextcloud desktop client on Linux?

Hello friends. We already know how to install a Nextcloud server but now the client is missing. So in this post, you...

How to Backup your call and SMS history in Android

Many times we find ourselves in the situation of having to change our phone, for different reasons, and one of the questions...

Install and configure Apache Guacamole on Debian 10

Hello, friends in this post, you will learn how to install and configure Apache Guacamole in Debian 10. It will be a...

Ubuntu 20.10 available

The new version of Ubuntu is now available, under the code name "groovy gorilla". Ubuntu 20.10 focuses on improving and refining the...

Monitoring Ubuntu 20.04 with Stacer

Normally if we use Linux on a production server, it is important to monitor it. On the other hand, in everyday use, many users...
x